Hidden proactive replication of data

ABSTRACT

Moving replicas in a cryptographically secure manner such that the target location and timing of the movements are completely hidden from any user, or are kept as a secret by a limited number of users who have been given advance notice of the new location and relocation time for a replica. A catalog of replica locations that describes the current location of the replicas is stored in encrypted form so as to prevent individuals from determining the exact location of the replicas. Since the location of the replicas is hidden at any given moment, attackers may not use the location of the replicas in order to attack all of the replicas at the same time. Accordingly, recovery mechanisms may have an opportunity to recover from any given attack by once again creating replicas from those replicas that had not been attacked.

BACKGROUND OF THE INVENTION

[0001] 1. The Field of the Invention

[0002] The present invention relates to data replication, and more particularly, to the proactive replication of data using a hidden or secret relocation algorithm that determines the target location and timing of the relocation in a cryptographically secure way.

[0003] 2. Related Technology

[0004] Computing technology has transformed the way we work and play. Modern computer networking technologies and infrastructures allow for different applications and users to electronically access data even over vast distances relatively quickly using readily-available computer systems. Such computer systems may include, for example, desktop computers, laptop computers, Personal Digital Assistants (PDAs), digital telephones, or the like.

[0005] This high level of data availability allows for numerous useful services to be offered over the Internet or other networks. Indeed, the level of data availability is considered a critical performance component of many, if not most, network services. Customers often expect little, if any, interruption in access to the data offered by given network services. However, there are cases in which data may be destroyed, thereby potentially causing significant, if not permanent, interruption in services that rely on access to that data.

[0006] For example, the computer system that stores the data may malfunction, causing the stored data to be corrupted. Perhaps a user inadvertently deleted or saved a different item over the stored data. Perhaps a disgruntled or malicious person intentionally destroyed the data. Alternatively, the storage device that stores the data may be physically damaged or destroyed. Regardless of the failure mechanism, such destruction of data may be catastrophic depending on the importance and reconstructability of the data lost.

[0007] One conventional mechanism for guarding against such failure is to make multiple replicas of the data, and to store at least some of the replicas on different computer systems or even in different geographically remote locations. The goal of such replication is to continue data availability even if one of the data replicas becomes inaccessible or destroyed. Should one of the replicas be destroyed, the data may still be accessed via another of the replicas. In cases in which a minimum number of replicas is desired in order to allow a high degree of security that all replicas will not be destroyed, the recovery algorithm of the replication system may generate further replicas in order to compensate for any lost replicas.

[0008] The use of multiple replicas for guarding against such failure provides significant security against many failure mechanisms. For example, if data is inadvertently deleted or intentionally destroyed, the data may still be accessed from other replicas. If a computer system fails or the storage device is destroyed, the data may still be accessed from a replica on another computer system.

[0009] The use of multiple replicas assumes that there is a high degree of independence between potential failure mechanisms for at least some of the replicas. For example, if the anticipated failure mechanism was that the computer system fails, independence from this failure mechanism may be accomplished by storing a replica in another computer system. If the anticipated failure mechanism was a geographically related problem such as a power outage, intentional physical destruction or natural disaster, independence may be accomplished by storing the replicas at geographically remote distances. If the anticipated failure mechanism was an intentional destruction of the data by an antagonist (also colloquially referred to as a “hacker”), then independence may be hoped for if the antagonist is not aware of all of the replicas.

[0010] However, it is possible that individuals or organizations might perform a malicious, sophisticated, and concerted attack against all copies of the data substantially simultaneously. If such a malicious attacker were to destroy all of the data replicas before the system could respond by recreating other copies, then the data might be lost forever. The loss in data would occur regardless of the fact that the system had a recovery mechanism to recreate replicas once one was lost, since all the replicas would be lost prior to the recovery mechanism being successful in creating further replicas.

[0011] One critical piece of information that might be required in order to facilitate such a concerted attack is the location of each of the replicas. In accordance with the principles of the present invention, a replication system is described which guards against such attacks by moving the data around using a cryptographically secure algorithm such that the location of the replicas is either unknown to any user (even potentially system administrators), or is known to only a small group. Even if one were to learn the location of one or more replicas, that knowledge could not thereafter be used to determine the current location of the replicas. Accordingly, a concerted attack against all of the replicas would more likely fail, thus allowing the replication system to more likely survive such an attack.

[0012] There are conventional replication systems that do move replicas around periodically. However, such replication systems move replicas around in order to perform what is called “software rejuvenation” or in order to perform other housekeeping purposes unrelated to obscuring the location of the replicas. Software rejuvenation is performed by gracefully terminating an application, and then restarting the application with a clean internal state. Such rejuvenation is performed in order to counter an effect called “software aging” in which the performance of software degrades over time. When it is time for one of the replicas of a software application to be rejuvenated, that replica is terminated and then restarted in a clean state. After terminating and before restarting, the replica may be moved to another location when, for example, the old location may be contributing to or may be more susceptible to software aging.

[0013] The use of software rejuvenation in replication systems has not conventionally made attempts at obfuscating the target location and movement times for a replica. This is not surprising since performing such obfuscation of the target location would not advance the purpose of performing software rejuvenation. Accordingly, the occasional movement in replication systems due to software rejuvenation provides little, if any, protection against a concerted attack against all replicas, since the locations of the replicas are not hidden, even though the locations are occasionally moved. If an antagonist could determine the old location of the replicas, the antagonist may often be able to determine the new location of the replicas.

BRIEF SUMMARY OF THE INVENTION

[0014] In accordance with the principles of the present invention, a replication system and method maintains a number of replicas of given data. The replication system may have a recovery mechanism that optionally replaces any damaged or lost replicas if the current number of replicas is too low for comfort. If all of the replicas were destroyed prior to the recovery mechanism generating new replicas, then the given data may be lost. The principles of the present invention protect against such a concerted attack by moving each of the replicas around in a less predictable or even completely random manner.

[0015] In particular, for each replica corresponding to given data, a relocation module within the replication system determines a target location to move the replica to, and even potentially determines when to move the replica. The target location and movement timing may be determined in a cryptographically secure manner using mechanisms such as a cryptographically generated random number.

[0016] The movement may also take into consideration non-random factors such as whether there is a current attack threat, the sensitivity of the data, the memory availability of the computer system corresponding to a potential target location, the processing load of the computer system corresponding to a potential target location, the bandwidth and latency of the connection between the current location of the replica and the potential target location, and the extent to which the computer system corresponding to the target location is trusted. However, as introducing such non-random factors into the relocation decision making can introduce some level of predictability into where a replica may be located, care should be taken not to weight such non-random factors into the decision making process too much.

[0017] The decision making process associated with relocation is cryptographically secure. For example, the code that corresponds to critical decision making may be fully or partially encrypted, and only decrypted prior to execution and without allowing users access to the decrypted decision making code. A catalog that identifies each of the replicas and lists their corresponding location may also be secured. For example, the catalog may be encrypted or otherwise have access limited to only authorized applications or uses. Since the replicas are moved around without divulging the new location of the replicas, and since there is no unencrypted catalog listing the replicas and their corresponding location or since the catalog is secured against unauthorized access, it is less likely that anyone would know the exact location of all of the replicas corresponding to given data. Accordingly, it would be much more difficult, if not impossible, to successfully complete a concerted attack against all of the replicas simultaneously. Accordingly, any attempted attack may be recovered from using the replication system's recovery algorithm.

[0018] The replication system may keep the new location of the replicas hidden from the user, or the replication system may give advance notice to a limited number of users of the location and movement times of the replicas. The limited number of users would then closely guard that information as a secret. Either way, the opportunity for a concerted attack against all replicas for given data is substantially diminished, thereby improving the security of the data represented by the various replicas.

[0019] Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] In order to describe the manner in which the above-recited and other advantages and features of the invention can be obtained, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered to be limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:

[0021] FIG. 1 illustrates a suitable computer system in which the principles of the present invention may be employed;

[0022] FIG. 2 illustrates a network environment in which the principles of the present invention may be employed; and

[0023] FIG. 3 illustrates a flowchart of a method for hiding replicas in accordance with the principles of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0024] The principles of the present invention relate to methods, systems and computer program products for moving replicas in which the target location and potentially the timing of the movements are completely hidden from any user, or are kept as a secret by a limited number of users who have been given advance notice of the new location and relocation time for a replica. Whether the new location and relocation times are completely hidden, or are kept as a secret by a few who were given advance notice, the movements are coordinated by a cryptographically secure algorithm. In addition, a catalog of replica locations that describes the current location of the replicas is also stored in encrypted form so as to prevent unauthorized individuals from determining the exact location of replicas.

[0025] The embodiments of the present invention may comprise general-purpose or special-purpose computer systems including various computer hardware components, which are discussed in greater detail below. Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions, computer-readable instructions, or data structures stored thereon. Such computer-readable media may be any available media, which is accessible by a general-purpose or special-purpose computer system.

[0026] By way of example, and not limitation, such computer-readable media can comprise physical storage media such as RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other media which can be used to carry or store desired program code means in the form of computer-executable instructions, computer-readable instructions, or data structures and which may be accessed by a general-purpose or special-purpose computer system.

[0027] In this description and in the following claims, a “network” is defined as any architecture where two or more computer systems may exchange data with each other. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer system or computer device, the connection is properly viewed as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media. Computer-executable instructions comprise, for example, instructions and data which cause a general-purpose computer system or special-purpose computer system to perform a certain function or group of functions.

[0028] In this description and in the following claims, a “computer system” is defined as one or more software modules, one or more hardware modules, or combinations thereof, that work together to perform operations on electronic data. For example, the definition of computer system includes the hardware components of a personal computer, as well as software modules, such as the operating system of the personal computer. The physical layout of the modules is not important. A computer system may include one or more computers coupled via a computer network. Likewise, a computer system may include a single physical device (such as a mobile phone or Personal Digital Assistant “PDA”) where internal modules (such as a memory and processor) work together to perform operations on electronic data.

[0029] In this description and in the following claims, a “replica” of given data is a data structure (that may potentially include state) from which the given original data may be recovered. The replica may be a simple copy of the given data, an encrypted form of the given data, a compressed form of the given data, or any other form from which the given data may be recovered. The given data may be an entire object or data structure, or merely a portion thereof.

[0030] Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computer system configurations, including personal computers, laptop computers, multi-processor systems, minicomputers, mainframe computers, network PCs, routers, gateways, firewalls, proxies, hand-held devices, microprocessor-based or programmable consumer electronics, mobile telephones, PDAs, pagers, and the like. The invention may also be practiced in distributed system environments where local and remote computer systems, which are linked (either by hardwired links, wireless links, or by a combination of hardwired or wireless links) through a communication network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.

[0031] FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by computer systems. Generally, program modules include routines, programs, objects, components, data structures, and the like, which perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of the program code means for executing acts of the methods disclosed herein.

[0032] With reference to FIG. 1, a suitable operating environment for the principles of the invention includes a general-purpose computer system in the form of a computer system 100. Computer system 100 may be, for example, a personal computer that has been adapted to perform the operations disclosed herein.

[0033] Computer system 100 includes a user input interface 170 that receives information from an input device, such as, for example, a keyboard, microphone, or mouse. An input device can be coupled to user input interface 170 so as to enable the entry of information. An input device may transfer information over such a coupling in response to preprogrammed data or user manipulation of the input device.

[0034] Computer system 100 includes a video output interface 150 that provides a video output signal to external video display devices. Computer system 100 may be integrally positioned with or separate from a video display device, such as, for example, a color or monochrome computer monitor. A video display device can be coupled to video output interface 150 so as to receive a provided video output signal.

[0035] Similarly, computer system 100 includes an audio output interface 130 that provides an audio output signal to external audio output devices. Computer system 100 may also be integrally positioned with or separate from an audio system, which may include a speaker or other device capable of emitting sound data. An audio system can be coupled to audio output interface 130 so as to receive a provided audio output signal. In some cases, a video display device or an audio system will be unnecessary, including when the computer system 100 does not directly interface with a human.

[0036] Computer system 100 includes processing unit 120, which allows for complex and flexible general-purpose processing capabilities. Processing unit 120 executes computer-executable instructions designed to implement features of computer system 100, including features of the present invention. Processing unit 120 is coupled to system bus 110, which also interconnects various other system components including system memory 140.

[0037] System memory 140 generally represents a wide variety of volatile and/or non-volatile memories and may include types of memory previously discussed. However, the particular type of memory used in computer system 100 is not important to the present invention. Program code means comprising one or more program modules may be stored in system memory 140. The one or more program modules may include an operating system 141, one or more application programs 142, other program modules 143, and program data 144.

[0038] Computer system 100 may include mass storage interface 160, which can read data from and/or write data to a mass storage device, such as, for example, a magnetic disk or optical disk. A mass storage device can be coupled to mass storage interface 160 so as to enable the reading and writing of data. When a mass storage device is coupled to mass storage interface 160, one or more program modules including operating system 141, application programs 142, other program modules 143, and program data 144 may be stored in the mass storage device.

[0039] Computer system 100 is connectable to networks, such as, for example, an office-wide or enterprise-wide computer network, an intranet and/or the Internet. Computer system 100 includes network interface 180, through which computer system 100 receives data from external sources and/or transmits data to external sources. Computer system 100 may exchange data with external sources, such as, for example, remote processor systems and/or databases over such a network. Modern technology enables such network connections to be over high speed connections such as, for example, fiber optic connections.

[0040] While FIG. 1 represents a suitable operating environment for the present invention, the principles of the present invention may be employed in any system that is capable of, with suitable modification if necessary, implementing the principles of the present invention. The environment illustrated in FIG. 1 is illustrative only and by no means represents even a small portion of the wide variety of environments in which the principles of the present invention may be implemented.

[0041] FIG. 2 illustrates a network environment 200 in which the principles of the present invention may be employed. The network environment 200 includes a number of computer systems 201 through 205 that may communicate over a network 220. There are four replicas 211 through 214 of given data that are distributed throughout the computer systems 201 through 205. For example, computer system 201 stores two replicas 211 and 212 of the given data, while computer system 203 stores replica 213 and computer system 205 stores replica 214. Computer systems 202 and 204 do not currently store any of the replicas 211 through 214. A relocation module 221 manages the occasional relocation of the replicas 211 through 214 so as to hide the new location of each of the replicas from the public.

[0042] A catalog 222 has a record of the current location of each of the replicas 211 through 214. In order to guard against discovery of these locations, the catalog may be encrypted so that only those applications that possess a given key (e.g., the relocation module 221 and any trusted clients) may access the content of the catalog. The catalog may also be stored on a secure computing system that only allows access to the catalog through a process that verifies the identity and authority of an application or user attempting access.

[0043] While the relocation module 221 and the catalog 222 are generically illustrated within the network 220, they are only so illustrated to emphasize that the relocation module 221 and the catalog 222 act as a facilitator for moving replicas between different computer systems over the network 220. However, the relocation module 221 and/or the catalog 222 may be centrally located on one of the computer systems 201 through 205. In that case, however, the relocation module 221 would send messages over the network 220 instructing other computer systems on where and when to move a replica. Unless such messages were sent over a secure communication channel, such messages may be intercepted, thereby potentially allowing an antagonist to determine where the replica will be or has been transferred to. In order to guard against this, the relocation module 221 and the catalog 222 may be operated in a distributed manner, with some or all of the computer systems 201 through 205 each capable of executing an instance of the relocation module 221 or accessing and updating an instance of the catalog 222. In this way, fewer interceptable messages would be exchanged over the network 220. Updating of the catalog 222 may be accomplished by adding encrypted entries such that communication of catalog updates is not transmitted in the clear, without encryption. A relocation module may also be implemented on a computer system regardless of whether the computing system has any replicas stored thereon. A relocation module on a particular computing system may also be dedicated to managing only a portion (perhaps even just one) of the replicas stored thereon.

[0044] While the network environment 200 is illustrated as including five computer systems 201 through 205 that have four replicas 211 through 214 distributed throughout them, the principles of the present invention may operate with any number of computer systems with any number of replicas. For example, for less sensitive data, there may only be two replicas stored somewhere among three computer systems. However, for more sensitive data, there may be numerous replicas stored somewhere among many hundreds of computer systems. By having the distribution across many computer systems, it is more likely that an outside antagonist could not guess or find out where all of the replicas are located so as to engage in a concerted attack against all of the replicas.

[0045] Note that the replicas need not be exact copies of each other. For example, replica 214 has a minus sign on its upper right corner to emphasize that this replica may be a compressed form of the given data. For example, perhaps the computer system 205 has limited disk space available. Replica 213 has an asterisk on its upper right corner to emphasize that this replica may be an encrypted form of the given data. For example, the computer system 203 may reside in a different sphere of trust than the other computer systems 201, 202, 204 and 205. For example, computer systems 201, 202, 204 and 205 reside in trusted zone 230 while computer system 203 resides outside of the trusted zone 230.

[0046] Accordingly, in order to prevent the given data from being discovered by those outside of the trusted zone 230, the relocation module 221 may facilitate the encryption of the replica 213 when it was previously moved to the computer system 203. Accordingly, the computer system 203 may be enlisted within the replication system without having even to reside in the same trusted zone. This effect, along with recent advances in high bandwidth interconnectivity, allows for the described replication system to be more distributed, even throughout the globe, and without requiring that the replication system be encompassed within a common sphere of trust. Accordingly, the principles of the present invention may be used to offer the exchange of storage services between different enterprises.

[0047] FIG. 3 illustrates a flowchart of a method 300 for hiding the location of the replicas. The method 300 includes a functional, result-oriented step for moving replicas in a hidden manner (step 310). Although step 310 may include any corresponding acts for accomplishing this purpose, in the illustrated embodiment of FIG. 3, step 310 includes corresponding acts 311, 312 and 313.

[0048] In particular, the step 310 includes an act of determining a target location and/or movement time for a replica to be moved to using a relocation algorithm implemented by relocation module 221 (act 312). The movement may have an element of randomness so as to make it more difficult to predict where any given replica will be stored at any given time. In order to introduce such randomness into the relocation, the relocation module 221 may use a cryptographically secure random number generator so as to prevent antagonists from determining what the random number will be.

[0049] The relocation module 221 may also consider a number of non-random factors when considering where and when to move a given replica. For example, the relocation module 221 may consider whether there is a current attack threat. For example, if there is an attack threat detected for computer system 204, the relocation module 221 may eliminate or reduce the chance that a replica would be relocated to that computer system. A mechanism for detecting an attack threat is described in co-pending, commonly-owned U.S. patent application Ser. No. [NOT YET ASSIGNED-MICROSOFT DOCKET NUMBER 300208.01], entitled “Distributed Threat Management”, and filed Jul. 1, 2002, which patent application is incorporated herein by reference in its entirety.

[0050] The relocation module 221 may also consider the sensitivity level of the data. For example, the greater the sensitivity of given data, the more frequently its replicas may be moved around. Also, the chance of sending more sensitive data to computer systems outside of the trusted zone may be reduced or even eliminated. For example, the computer system 203 might only serve as a storage site for replicas (even in encrypted form) if the corresponding data has less than a certain sensitivity level.

[0051] Also, the relocation module 221 may consider the trust level of the computer system associated with the target location. For example, regardless of the sensitivity, the computer system 203 may have a lower probability of storing a replica than the other computer systems 201, 202, 204 and 205 for a given sensitivity level.

[0052] The relocation module 221 may also consider connection issues such as the bandwidth level for the connection to the target location, as well as load balancing issues such as the processing load level or memory availability level for the computer system associated with the target location.

[0053] The relocation module 221 may also store replicas at a location that has relatively low latency just for convenience's sake, rather than to protect against a concerted attack. For example, a Japanese language e-mail service may choose to store a number of data replicas locally in Japan while also storing some data replicas relatively randomly throughout the world.

[0054] Other types of non-random factors that may weigh into the relocation decision include the size of the data to be replicated, the frequency of use of the data, the number and location of the consumers, free or total disk space on the target machine, as well as what power management policy the source and target machines are using and what power management state they are in.

[0055] While weighing such non-random factors into the relocation decision may be useful, introducing too much weight for these non-random factors may introduce predictability into the decision making process, thereby increasing the risk that an antagonist might guess the correct location of the replicas. This is particularly true where there are fewer computer systems in the replication system that may serve as potential storage sites. For example, if there were only two replicas of highly sensitive material distributed throughout three computer systems, one of the computer systems being outside of a zone of trust, one might guess that the two replicas are stored on one or both of the computer systems inside of the zone of trust. The replication system may consider how many potential storage site computer systems there are in order to weight how much non-random factors may play a role in the decision making process.

[0056] After the act of determining (act 312), the step 310 includes an act of moving the replica to the target location at the movement time (act 313). This is normally done by first creating a copy of the data in the target location and then deleting the copy from the source location. Optionally, the relocation module 221 may determine that the target location is on a computer system that is outside of a trusted zone, and respond by establishing the replica only in encrypted form. Also, the relocation module 221 may determine that the target location is on a computer system that has memory resources that are lower than a threshold value, and respond by moving the replica only in compressed form, whether or not the compressed data is also encrypted.

[0057] The step 310 includes an act of securing the relocation module against giving information identifying the target location/movement time to any user at least prior to the act of determining (act 311). For example, the relocation module may be prevented from giving any notice to any user at any time regarding the replica movements. In order to accomplish this, the computer-executable instructions of the relocation module may be encrypted, at least for those portions that when executed by a processor form the relocation module and allow the relocation module to function. When it comes time to execute those instructions, the instructions are decrypted using a decryption module that does not allow user access to any resulting decrypted computer-executable instructions. Alternatively, one or more of the parameters in the instructions may be encrypted, rather than encrypting all of the instructions.

[0058] The relocation of a replica may be kept entirely hidden from any user as described above. Alternatively, however, a limited number of one or more trusted users may be notified of the relocation of the replica in terms of when and where the relocation will or has occurred (act 314). If this notification does occur, the notification may occur before or after the actual movement of the replica to the target location (act 312). Even so, the determination of where that target location is to be is first made before notification occurs. In other words, the relocation module 221 is cryptographically secure such that the target location and/or movement time cannot be inferred prior to the relocation module 221 itself determining where the target location and/or movement time will be. Less secure designs might also be appropriate if the environment the design is used in warrants it. For example, if the relocation module is run on a server machine that is in a physically secured room, it may be appropriate to rely on the operating system to implement restricted access to the relocation module.

[0059] The method 300 then updates the catalog 222 to reflect that the target location is associated with the replica (act 315). Once again, the catalog 222 (or portions thereof) may be in encrypted form so as to make it more difficult for antagonists to discover the location of any of the replicas. In addition or in the alternative, the catalog may be stored on a secure server that only allows access after identification and authorization of an application or user requesting access.
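The move procedure of [0056] (copy to the target, then delete from the source, encrypting outside the trusted zone and compressing when memory is scarce) and the encrypted catalog update of [0059] are shown together in the added example below. It is not code from the patent or from any product it describes. The site names, the memory threshold, the in-memory site model and the sample payload are constructed; the `seal`/`open_sealed` pair is a standard-library encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) used only so the example runs offline, and a deployment would use a vetted AEAD such as AES-GCM in its place.

```python
"""Added example: copy-verify-delete replica move with per-target storage form,
plus an encrypted replica-location catalog. Names, thresholds and payloads are
constructed; the sealing primitive is a stdlib stand-in for a real AEAD.
"""
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed site model: replica id -> (stored bytes, encrypted?, compressed?)
SITES = {"tokyo": {}, "dublin": {}, "partner-colo": {}}
TRUSTED_ZONE = {"tokyo", "dublin"}
FREE_MEMORY_MB = {"tokyo": 4096, "dublin": 4096, "partner-colo": 256}
MEMORY_THRESHOLD_MB = 512  # constructed threshold for "memory resources lower than"

REPLICA_KEY = secrets.token_bytes(32)  # protects replicas stored outside the zone
CATALOG_KEY = secrets.token_bytes(32)  # protects the location catalog at rest


def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Verify the tag before touching the ciphertext; reject altered blobs."""
    if len(blob) < 48:
        raise ValueError("blob too short to be a sealed record")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def storage_form(target):
    """Per [0056]: encrypt outside the trusted zone, compress when memory is scarce."""
    return target not in TRUSTED_ZONE, FREE_MEMORY_MB[target] < MEMORY_THRESHOLD_MB

def store_plain(site, replica_id, data):
    SITES[site][replica_id] = (data, False, False)

def read_replica(site, replica_id, key=REPLICA_KEY):
    """Return the replica's original bytes whatever form the site holds it in."""
    payload, encrypted, compressed = SITES[site][replica_id]
    if encrypted:
        payload = open_sealed(key, payload)
    if compressed:
        payload = zlib.decompress(payload)
    return payload

def move_replica(replica_id, source, target, key=REPLICA_KEY):
    """Copy to target, verify the copy round-trips, only then delete the source."""
    data = read_replica(source, replica_id, key)
    encrypt, compress = storage_form(target)
    payload = zlib.compress(data) if compress else data
    payload = seal(key, payload) if encrypt else payload
    SITES[target][replica_id] = (payload, encrypt, compress)   # 1. create the copy
    copied = read_replica(target, replica_id, key)             # 2. verify it
    if hashlib.sha256(copied).digest() != hashlib.sha256(data).digest():
        del SITES[target][replica_id]
        raise RuntimeError("copy verification failed; source copy retained")
    del SITES[source][replica_id]                              # 3. delete the source
    return encrypt, compress

def update_catalog(catalog_blob, replica_id, target, key=CATALOG_KEY):
    """Decrypt, record the new location, re-seal; plaintext is never stored."""
    catalog = json.loads(open_sealed(key, catalog_blob)) if catalog_blob else {}
    catalog[replica_id] = target
    return seal(key, json.dumps(catalog, sort_keys=True).encode())

def read_catalog(catalog_blob, key=CATALOG_KEY):
    return json.loads(open_sealed(key, catalog_blob))

if __name__ == "__main__":
    store_plain("tokyo", "ledger", b"constructed replica payload " * 64)
    print(move_replica("ledger", "tokyo", "partner-colo"))   # (True, True)
    blob = update_catalog(b"", "ledger", "partner-colo")
    print(read_catalog(blob), b"partner-colo" in blob)       # {'ledger': 'partner-colo'} False
```

Two properties matter here: the source copy is deleted only after the target copy has been read back and its digest compared, so a failed transfer never leaves fewer replicas than before; and the catalog blob carries no site name in the clear, so reading it requires the catalog key and any modification of the stored blob is rejected before it is parsed.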

[0060] Accordingly, the principles of the present invention make it much more difficult, if not impossible, for an antagonist to determine where all replicas of given data are at any given time. The opportunity for performing a concerted attack against all of the replicas of given data is therefore substantially impaired. Even if a few (but not all) of the replica locations are known, the recovery mechanism will more likely have time to recover from an attack by increasing the number of replicas available.

[0061] The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed is:
1. In an environment that includes at least one computer system that stores a plurality of replicas of given data, a method for hiding the location of the replicas comprising the following: an act of determining a target location for a replica to be moved to using a relocation algorithm implemented by a relocation module; an act of securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining; an act of moving the replica to the target location; and an act of updating a secure catalog of replica locations to reflect that the target location is associated with the replica.
2. A method in accordance with claim 1, wherein the act of updating a secure catalog of replica locations comprises the following: an act of updating an at least partially encrypted catalog of replica locations.
3. A method in accordance with claim 1, wherein the act of updating a secure catalog of replica locations comprises the following: an act of updating a catalog on a secure server that limits access to the catalog to only those applications and users that can identify themselves and that are authorized to access the catalog.
4. A method in accordance with claim 1, further comprising the following: an act of the relocation module determining a movement time for the replica to be moved to the target location.
5. A method in accordance with claim 4, wherein the relocation algorithm considers whether or not there is a current threat when performing the act of determining a movement time for the replica.
6. A method in accordance with claim 4, wherein the relocation algorithm considers a sensitivity level of the given data when performing the act of determining a movement time for the replica.
7. A method in accordance with claim 4, wherein the relocation algorithm considers a trust level of a computer system associated with the target location when performing the act of determining a movement time for the replica.
8. A method in accordance with claim 4, wherein the relocation algorithm considers a bandwidth level for a connection to the target location when performing the act of determining a movement time for the replica.
9. A method in accordance with claim 4, wherein the relocation algorithm considers a load level for a computer system associated with the target location when performing the act of determining a movement time for the replica.
10. A method in accordance with claim 4, wherein the relocation algorithm considers a memory availability level for a computer system associated with the target location when performing the act of determining a movement time for the replica.
11. A method in accordance with claim 4, wherein the relocation algorithm considers a network traffic load for a computer system associated with the target location when performing the act of determining a movement time for the replica.
12. A method in accordance with claim 4, wherein the relocation algorithm considers how easy it would be to monitor network traffic to a computer system associated with the target location when performing the act of determining a movement time for the replica.
13. A method in accordance with claim 4, further comprising the following: an act of securing the relocation module against giving information identifying the movement time to any user at least prior to the act of determining.
14. A method in accordance with claim 13, wherein the act of securing the relocation module against giving information identifying the movement time to any user at least prior to the act of determining comprises the following: an act of securing the relocation module against giving information identifying the movement time to any user at any time.
15. A method in accordance with claim 13, further comprising the following: after the act of determining, an act of notifying one or more users of an association between the movement time and the replica.
16. A method in accordance with claim 15, wherein the act of notifying one or more users of an association between the movement and the replica comprises the following: an act of notifying the one or more users of the movement time prior to the movement time.
17. A method in accordance with claim 1, wherein the act of securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining comprises the following: an act of securing the relocation module against giving information identifying the target location to any user at any time.
18. A method in accordance with claim 1, further comprising the following: after the act of determining, an act of notifying one or more users of an association between the target location and the replica.
19. A method in accordance with claim 18, wherein the act of notifying one or more users of an association between the target location and the replica comprises the following: an act of notifying the one or more users of the target location to which the replica will be moved prior to the act of moving the replica to the target location.
20. A method in accordance with claim 18, wherein the act of notifying one or more users of an association between the target location and the replica comprises the following: an act of notifying the one or more users of the target location to which the replica has been moved after the act of moving the replica to the target location.
21. A method in accordance with claim 1, wherein the act of securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining, comprises the following: an act of encrypting at least a portion of computer-executable instructions that when executed by a processor form the relocation module and allow the relocation module to function; and prior to executing the portion of computer-executable instructions that are encrypted, decrypting the computer-executable instructions using a decryption module that does not allow user access to any resulting decrypted computer-executable instructions.
22. A method in accordance with claim 1, further comprising the following: an act of determining that the target location is on a computer system that is outside of a trusted zone; and wherein the replica is moved in encrypted form.
23. A method in accordance with claim 1, further comprising the following: an act of determining that the target location is on a computer system that has memory resources that are lower than a threshold value, wherein the replica is moved in compressed form.
24. A method in accordance with claim 1, wherein the relocation algorithm considers whether or not there is a current threat when performing the act of determining a target location for a replica.
25. A method in accordance with claim 1, wherein the relocation algorithm considers a sensitivity level of the given data when performing the act of determining a target location for a replica.
26. A method in accordance with claim 1, wherein the relocation algorithm considers a trust level of a computer system associated with the target location when performing the act of determining a target location for a replica.
27. A method in accordance with claim 1, wherein the relocation algorithm considers a bandwidth level for a connection to the target location when performing the act of determining a target location for a replica.
28. A method in accordance with claim 1, wherein the relocation algorithm considers a load level for a computer system associated with the target location when performing the act of determining a target location for a replica.
29. A method in accordance with claim 1, wherein the relocation algorithm considers a memory availability level for a computer system associated with the target location when performing the act of determining a target location for a replica.
30. A computer program product for use in an environment that includes at least one computer system that stores a plurality of replicas of given data, the computer program product for implementing a method for hiding the location of the replicas, the computer-program product comprising one or more computer-readable media having stored thereon the following: computer-executable instructions for determining a target location for a replica to be moved to using a relocation algorithm implemented by a relocation module; computer-executable instructions for securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining; computer-executable instructions for moving the replica to the target location; and computer-executable instructions for updating a secure catalog of replica locations to reflect that the target location is associated with the replica.
31. A computer-program product in accordance with claim 30, wherein the one or more computer-readable media are physical storage media.
32. A computer program product for use in an environment that includes at least one computer system that stores a plurality of replicas of given data, the computer program product for implementing a method for hiding the location of the replicas, the computer-program product comprising one or more computer-readable media having stored thereon a relocation module adapted to perform the following: determine a target location for a replica to be moved to using a relocation algorithm implemented by a relocation module; abstain from giving information identifying the target location to any user at least prior to the act of determining; move the replica to the target location; and update a secure catalog of replica locations to reflect that the target location is associated with the replica.
33. A computer program product in accordance with claim 32, wherein the one or more computer-readable media are physical storage media.
34. In an environment that includes at least one computer system that stores a plurality of replicas of given data, a method for hiding the location of the replicas comprising the following: an act of determining a target location for a replica to be moved to using a relocation algorithm implemented by a relocation module; an act of securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining; an act of informing a group of one or more users of an association between the target location and the replica; and an act of moving the replica to the target location.
35. A method in accordance with claim 34, further comprising the following: an act of updating a catalog of replica locations to reflect that the target location is associated with the replica.
36. A method in accordance with claim 35, wherein the act of updating a catalog of replica locations to reflect that the target location is associated with the replica comprises the following: an act of updating an encrypted catalog of locations to reflect that the target location is associated with the replica.
37. A method in accordance with claim 34, wherein the act of informing occurs prior to the act of moving.
38. A method in accordance with claim 34, wherein the act of informing occurs after the act of moving.
39. A method in accordance with claim 34, further comprising the following: an act of the relocation module determining a movement time for the replica to be moved to the target location.
40. A method in accordance with claim 39, further comprising the following: an act of informing the group of one or more users of an association between the target location and the replica.
41. A computer program product for use in an environment that includes at least one computer system that stores a plurality of replicas of given data, the computer program product for implementing a method for hiding the location of the replicas, the computer program product comprising one or more computer-readable media having stored thereon the following: computer-executable instructions for determining a target location for a replica to be moved to using a relocation algorithm implemented by a relocation module; computer-executable instructions for securing the relocation module against giving information identifying the target location to any user at least prior to the act of determining; computer-executable instructions for informing a group of one or more users of an association between the target location and the replica; and computer-executable instructions for moving the replica to the target location.
42. A computer program product in accordance with claim 41, wherein the one or more computer-readable media are physical storage media.